{"id":3358,"date":"2016-09-20T11:22:50","date_gmt":"2016-09-20T15:22:50","guid":{"rendered":"http:\/\/community.mis.temple.edu\/itacs5211fall16\/?p=3358"},"modified":"2016-09-20T11:22:50","modified_gmt":"2016-09-20T15:22:50","slug":"vulnerability-management-technique-managing-asset-exclusion-to-avoid-blind-spot","status":"publish","type":"post","link":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/2016\/09\/20\/vulnerability-management-technique-managing-asset-exclusion-to-avoid-blind-spot\/","title":{"rendered":"Vulnerability Management Technique: Managing Asset Exclusion to Avoid Blind Spot"},"content":{"rendered":"<p><span style=\"color: #000000;font-family: Calibri\">The article I read was titled Vulnerability Management Technique: Managing Asset Exclusion to Avoid Blind Spots. The article can be viewed at:<\/span><\/p>\n<p><a href=\"https:\/\/community.rapid7.com\/community\/nexpose\/blog\/2016\/09\/09\/managing-asset-exclusion-avoiding-blind-spots?CS=social\"><span style=\"color: #0563c1;font-family: Calibri\">https:\/\/community.rapid7.com\/community\/nexpose\/blog\/2016\/09\/09\/managing-asset-exclusion-avoiding-blind-spots?CS=social<\/span><\/a><\/p>\n<p><span style=\"color: #000000;font-family: Calibri\">The author opens the article by discussing recent advances in the maturity of vulnerability management programs, but suggests that one area that needs further development is avoiding asset risk blind spots. One way to do this is to manage excluded assets better. Some assets are excluded from vulnerability scans for various reasons (for example, the asset has a known vulnerability and vulnerability scanning will cause damage to the system) and as a result, organizations neglect to manage the risks associated with these assets. In fact, many times organizations will put an asset on an exclusion list and practice \u2018set it and forget it.\u2019 However, vulnerability management is meant to be a cyclical process. 
In order to eliminate the blind spot associated with forgotten excluded assets, the author suggests a four-step process: <\/span><\/p>\n<p><span style=\"color: #000000;font-family: Calibri\">1.<\/span><span style=\"font: 7.0pt 'Times New Roman'\"><span style=\"color: #000000\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><span style=\"color: #000000;font-family: Calibri\">Assessment &#8211; identify assets to be excluded<\/span><\/p>\n<p><span style=\"color: #000000;font-family: Calibri\">2.<\/span><span style=\"font: 7.0pt 'Times New Roman'\"><span style=\"color: #000000\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><span style=\"color: #000000;font-family: Calibri\">Reporting &#8211; run periodic reports on excluded assets<\/span><\/p>\n<p><span style=\"color: #000000;font-family: Calibri\">3.<\/span><span style=\"font: 7.0pt 'Times New Roman'\"><span style=\"color: #000000\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><span style=\"color: #000000;font-family: Calibri\">Remediation\/mitigation \u2013 Try to find a solution to the problem that prompted an asset to be excluded.<\/span><\/p>\n<p><span style=\"color: #000000;font-family: Calibri\">4.<\/span><span style=\"font: 7.0pt 'Times New Roman'\"><span style=\"color: #000000\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span><span style=\"color: #000000;font-family: Calibri\">Verification \u2013 Reassess assets to determine if they still need to be excluded<\/span><\/p>\n<p><span style=\"color: #000000;font-family: Calibri\">I found this article interesting as it explores an important niche of vulnerability scanning. While programs\/sites that need to be excluded from vulnerability scanning are the minority, it is still important to have a means of managing those assets rather than taking the set it and forget it approach. 
Moreover, the cyclical process the author suggests doesn\u2019t just accept that an asset has to be excluded from vulnerability scanning, but rather attempts to find a solution to the root problem necessitating the exclusion. Even if a solution can\u2019t be found, the author\u2019s process will revisit the asset in case new technology or a new approach can lead to a solution. This article takes a valuable approach to vulnerability scanning by advocating the development of the process to be adaptive and as inclusive as possible.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The article I read was titled Vulnerability Management Technique: Managing Asset Exclusion to Avoid Blind Spots. The article can be viewed at: https:\/\/community.rapid7.com\/community\/nexpose\/blog\/2016\/09\/09\/managing-asset-exclusion-avoiding-blind-spots?CS=social The author opens the article by discussing recent advances in the maturity of vulnerability management programs, but suggests that one area that needs further development is avoiding asset risk blind spots. 
One [&hellip;]<\/p>\n","protected":false},"author":10497,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[715345],"tags":[],"class_list":{"0":"post-3358","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-week-04-enterprise-architecture","7":"entry"},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/wp-json\/wp\/v2\/posts\/3358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/wp-json\/wp\/v2\/users\/10497"}],"replies":[{"embeddable":true,"href":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/wp-json\/wp\/v2\/comments?post=3358"}],"version-history":[{"count":1,"href":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/wp-json\/wp\/v2\/posts\/3358\/revisions"}],"predecessor-version":[{"id":3359,"href":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/wp-json\/wp\/v2\/posts\/3358\/revisions\/3359"}],"wp:attachment":[{"href":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/wp-json\/wp\/v2\/media?parent=3358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/wp-json\/wp\/v2\/categories?post=3358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/community.mis.temple.edu\/itacs5211fall16\/wp-json\/wp\/v2\/tags?post=3358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":t
rue}]}}